1. Technical Field
This disclosure relates to an information processing apparatus, a software update method, and an image processing apparatus, and more specifically to an information processing apparatus or an image processing apparatus having a primary module and a backup module, and a software update method of the information processing apparatus or the image processing apparatus.
2. Description of the Related Art
As security becomes increasingly critical, information processing apparatuses such as personal computers and image processing apparatuses such as Multi Function Peripherals (MFP) capable of encrypting information stored in the apparatuses to avoid wiretapping have become available lately. For example, Patent Document 1 describes a PC adopting the specifications of Trusted Computing Platform Alliance (TCPA) in which information is encrypted using a Trusted Platform Module (TPM). The TPM is realized in a chip directly mounted on, for example, a motherboard.
On the other hand, to respond to a failure, for example, a duplexing system has been employed in information processing apparatuses such as personal computers and image processing apparatuses such as MFPs. Furthermore, to respond to a bug, a security hole, addition or modification of functions, the programs have also been updated in information processing apparatuses such as personal computers and image processing apparatuses such as MFPs (see, for example, Patent Document 2).
Herein, a conventional method of encrypting and decrypting information using the TPM, and a program update (hereinafter referred to as “ROM update”) are briefly described. FIG. 1 shows an exemplary configuration of a conventional information processing apparatus. The information processing apparatus includes a CPU 1, a BIOS ROM 2, a disk 3, a non-volatile (NV) RAM 4, and a main memory 5 as the hardware configuration. The CPU 1, the BIOS ROM 2, the disk 3, the NVRAM 4, and the main memory 5 are connected to each other via a bus 6.
The BIOS ROM 2 stores a Basic Input/Output System (BIOS) 10 module. The disk 3 stores a loader 11, a kernel 12, and a root file system (Rootfs) 13 modules. The NVRAM 4 stores plain text data 14 that users use.
The root file system 13 manages a boot program 21, a ROM update flag control program 22, a blob decryption section 23, and an application 24 that are stored in the disk 3. It should be noted that each of the BIOS 10, the loader 11, the kernel 12, the root file system 13 modules and the like is loaded into the main memory 5 to be executed. In the following, the BIOS 10, the loader 11, the kernel 12, the root file system 13 modules and the like are described as processing subjects.
A boot sequence of the information processing apparatus in FIG. 1 is described with reference to FIG. 2. FIG. 2 is a sequence diagram showing the processes of the information processing apparatus being booted. In step S1, the BIOS 10 loads and boots the loader 11. In steps S3 through S5, the loader 11 loads and boots the kernel 12 and the root file system 13.
In step S6, the kernel 12 boots the boot program 21 in the root file system 13. In step S7, the boot program 21 boots the application 24 in the root file system 13. In step S8, the application 24 is now capable of writing data into the NVRAM 4 and reading, for example, plain data 14 in the NVRAM 4.
Next, a mechanism of the TPM is briefly described. In the following, an example where the loader 11 boots the kernel 12 is described.
FIG. 3 is a diagram schematically showing a process of storing a hash value into the TPM 7. In step S11, the loader 11 loads the kernel 12 from the disk 3 into the main memory 5. In step S12, the TPM 7 stores a hash value into a Platform Configuration Register (PCR), the hash value being calculated by a method that produces a fixed-length, pseudo-random value from the original data. In FIG. 3, a hash value “0x3a” is stored in a “PCR3”. In step S13, the loader 11 boots the kernel 12.
In this manner, when the TPM 7 boots, for example, the BIOS 10, the loader 11, the kernel 12 and the root file system 13 modules, the TPM 7 stores hash values calculated from the modules in the PCRs.
FIG. 4 is a drawing schematically showing a decrypting process of the information using the TPM 7. In the TPM 7, four hash values calculated from the corresponding modules are stored in “PCR1” through “PCR4”. When the information is decrypted using the TPM 7, a Blob A 41 and a Blob B 42 each including at least one of the “PCR1” through “PCR4” data are used.
In the Blob A 41, a value “0x3a” is stored in the “PCR3”. In the Blob B 42, values “0xe9”, “0x12”, “0x3b”, and “0x06” are stored in the “PCR1” through the “PCR4”, respectively. In the TPM7, values “0xe9”, “0x12”, “0x3a”, and “0x06” are stored in its “PCR1” through the “PCR4”, respectively.
In the case of the Blob A 41, the hash value in the “PCR3” of the Blob A 41 is the same as the hash value in the “PCR3” of the TPM 7. Therefore, the TPM 7 permits taking the information from the Blob A 41. In the case of the Blob B 42, the hash value in the “PCR3” of the Blob B 42 is different from that in the “PCR3” of the TPM 7. Therefore, the TPM 7 does not permit taking the information from the Blob B 42. It should be noted that when “no setting” is stored in, for example, the “PCR1”, the “PCR2”, and the “PCR4” of the Blob A 41, the TPM 7 does not use those registers to determine whether to permit taking the information.
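The decision the TPM 7 makes in FIG. 4 can be modelled directly. The following is an added example, not part of the patent text: a sealing policy maps each PCR either to a required value or to “no setting”, and the data is released only if every PCR the policy sets matches the TPM's current register. The register values are the ones quoted above; treating them as single-byte values is an assumption made for illustration.

```python
from typing import Dict, Optional

PcrState = Dict[int, int]               # PCR index -> value currently held by the TPM
SealPolicy = Dict[int, Optional[int]]   # PCR index -> required value, or None for "no setting"

# Values quoted in the description of FIG. 4 (single-byte values assumed for illustration).
TPM_PCRS: PcrState = {1: 0xE9, 2: 0x12, 3: 0x3A, 4: 0x06}
BLOB_A: SealPolicy = {1: None, 2: None, 3: 0x3A, 4: None}   # only PCR3 is set
BLOB_B: SealPolicy = {1: 0xE9, 2: 0x12, 3: 0x3B, 4: 0x06}   # PCR3 differs from the TPM


def mismatched_pcrs(policy: SealPolicy, pcrs: PcrState) -> list:
    """Return the indices of PCRs that the blob sets and that differ from the TPM's value.

    PCRs marked "no setting" (None) are skipped, exactly as the TPM ignores them.
    """
    return [i for i, want in policy.items()
            if want is not None and pcrs.get(i) != want]


def unseal(policy: SealPolicy, pcrs: PcrState, sealed_key: bytes) -> Optional[bytes]:
    """Release the sealed key only when every PCR the blob sets matches; otherwise None."""
    if mismatched_pcrs(policy, pcrs):
        return None
    return sealed_key


if __name__ == "__main__":
    key = b"constructed-nvram-key"
    print("Blob A:", unseal(BLOB_A, TPM_PCRS, key))   # released: PCR3 matches, others ignored
    print("Blob B:", unseal(BLOB_B, TPM_PCRS, key))   # None: PCR3 is 0x3b in the blob, 0x3a in the TPM
```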
FIG. 5 shows an exemplary configuration of an information processing apparatus having the TPM. The information processing apparatus in FIG. 5 includes the CPU 1, the BIOS ROM 2, the disk 3, the NVRAM 4, the main memory 5, the TPM 7, and a Hard Disk Drive (HDD) 8 as the hardware configuration. The CPU 1, the BIOS ROM 2, the disk 3, the NVRAM 4, the main memory 5, the TPM 7, and the HDD 8 are connected to each other via a bus 6.
The configuration of the information processing apparatus in FIG. 5 is different from that in FIG. 1 in that the information processing apparatus in FIG. 5 further includes the TPM 7 and the HDD 8. Furthermore, the disk 3 stores a Blob 43 in addition to the configuration in FIG. 1. The Blob 43 includes an encrypted encryption key 51 for the NVRAM 4. The Blob 43 stores hash values each calculated from the BIOS 10, the loader 11, the kernel 12, and the root file system 13 in the “PCR1” through “PCR4”, respectively.
The NVRAM 4 stores encrypted data 15 in addition to the plain text data 14. The HDD 8 stores encrypted data 16. The same reference numerals are used in the figure to describe those components that are identical to the components of FIG. 1 without repeated description. The description of the Blob having an encrypted encryption key of the HDD 8 is also omitted.
A boot sequence of the information processing apparatus in FIG. 5 is described with reference to FIG. 6. FIG. 6 is a sequence diagram showing exemplary processes of the information processing apparatus being booted. In step S21, the BIOS 10 loads the loader 11. In step S22, a hash value of the loader 11 is stored in a PCR of the TPM 7. In step S23, the BIOS 10 boots the loader 11.
In step S24, the loader 11 loads the kernel 12. In step S25, a hash value of the kernel 12 is stored in a PCR of the TPM 7. In step S26, the loader 11 loads the root file system 13. In step S27, a hash value of the root file system 13 is stored in a PCR of the TPM 7.
In step S28, the loader 11 boots the kernel 12 and the root file system 13. In step S29, the kernel 12 boots the boot program 21 in the root file system 13. In steps S30 and S31, the boot program 21 boots the blob decryption section 23 and the application 24 in the root file system 13.
In step S32, the blob decryption section 23 acquires the encryption key 51 for the NVRAM 4 from inside the Blob 43. In step S33, using the encryption key 51, the application 24 is now capable of writing encrypted data into the NVRAM 4 and reading the encrypted data 15 stored in the NVRAM 4.
Patent Document 1: Japanese Patent Application Publication No. 2004-282391
Patent Document 2: Japanese Patent Application Publication No. 2005-196745
However, in an information processing apparatus having a configuration as shown in FIG. 5, the following problem may occur during the ROM update. FIG. 7 is a drawing schematically illustrating a problem occurring during the ROM update. In an information processing apparatus having a configuration as shown in FIG. 5, when the BIOS 10 stored in the BIOS ROM 2 is replaced by a new BIOS 10a, the Blob 43 corresponding to the BIOS 10 is required to be updated to a Blob A 43a that corresponds to the BIOS 10a.
Unfortunately, in a conventional information processing apparatus, when the update process from the Blob 43 to the Blob A 43a is interrupted for some reason, the hash value stored in the “PCR1” of the TPM 7 may become different from the hash value stored in the “PCR1” of the Blob A 43a. When that happens, the encryption key 51 for the NVRAM 4 cannot be taken from the Blob A 43a, with the result that the encrypted data stored in the NVRAM 4 cannot be decrypted.
The problem illustrated in FIG. 7 can be solved when an information processing apparatus has a configuration as shown in FIG. 8. The information processing apparatus in FIG. 8 includes a primary system 81 and a backup system 82, constituting a duplex system. The primary system 81 includes the BIOS 10, the loader 11, the kernel 12, and the root file system 13. The backup system 82 includes a BIOS 10b, a loader 11b, a kernel 12b, and a root file system 13b.
It should be noted that the BIOS 10, the loader 11, the kernel 12, and the root file system 13 are included in primary modules, and the BIOS 10b, the loader 11b, the kernel 12b, and the root file system 13b are included in backup modules.
Typically, an information processing apparatus is booted sequentially in the order of the BIOS 10, the loader 11, the kernel 12, and the root file system 13. Hereinafter, such a booting procedure is referred to as a “boot path”. In the example of FIG. 8, due to an error having occurred in the loader 11, the boot path becomes: BIOS 10 → loader 11b → kernel 12 → root file system 13.
That is, in an information processing apparatus having the backup system 82, when a module of the primary system has a problem, the same kind of module in the backup system 82 can usually be booted.
A boot path can be changed by, for example, a ROM update flag control program.
Because of this structure, there is a problem that as many Blobs are required as there are boot paths defined by the combinations of the modules in the primary system 81 and the modules in the backup system 82. FIG. 9 is a drawing schematically illustrating a problem that may occur when information is encrypted and decrypted using the TPM in an information processing apparatus having a backup system.
Further, an information processing apparatus having a configuration as shown in FIG. 9 has another problem: when the BIOS 10 stored in the BIOS ROM 2 is updated to the BIOS 10a, all of the plural Blobs corresponding to the BIOS 10 are required to be updated so as to correspond to the BIOS 10a. FIG. 10 is a drawing schematically illustrating a problem occurring while information is encrypted and decrypted using the TPM, where the ROM update is executed in an information processing apparatus having a backup system.
As described, when a conventional system is arranged to employ a duplex system having both a primary system and a backup system, to have a ROM update capability, and to improve security by adding the capability to encrypt and decrypt information using the TPM 7, it takes a lot of effort to manage the Blobs 73.
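The two problems of FIG. 9 and FIG. 10 can be made concrete by enumerating the boot paths. The following is an added example, not part of the patent text: each of the four stages has a primary and a backup image (constructed byte strings standing in for the BIOS 10/10b, loader 11/11b, kernel 12/12b and root file system 13/13b), each PCR holds the hash of the module booted at that stage (SHA-256 is assumed), and one Blob is sealed to the full PCR state of every path. Replacing the primary BIOS with a constructed “BIOS 10a” then shows how many Blobs must be re-sealed.

```python
import hashlib
from itertools import product
from typing import Dict, List, Tuple

STAGES = ("BIOS", "loader", "kernel", "rootfs")   # booted in this order; PCR1..PCR4
Path = Tuple[int, ...]                             # 0 = primary module, 1 = backup module per stage

# Constructed stand-ins for the module images of FIG. 8 (primary, backup).
MODULES: Dict[str, Tuple[bytes, bytes]] = {
    "BIOS":   (b"BIOS 10",   b"BIOS 10b"),
    "loader": (b"loader 11", b"loader 11b"),
    "kernel": (b"kernel 12", b"kernel 12b"),
    "rootfs": (b"rootfs 13", b"rootfs 13b"),
}


def measure(image: bytes) -> str:
    """Hash value the TPM would store in the PCR for this module (SHA-256 assumed)."""
    return hashlib.sha256(image).hexdigest()


def pcr_state(modules: Dict[str, Tuple[bytes, bytes]], path: Path) -> Tuple[str, ...]:
    """PCR1..PCR4 after booting along `path`."""
    return tuple(measure(modules[stage][choice]) for stage, choice in zip(STAGES, path))


def seal_all_paths(modules: Dict[str, Tuple[bytes, bytes]]) -> Dict[Tuple[str, ...], Path]:
    """One Blob per boot path, keyed by the PCR state it is sealed to (FIG. 9)."""
    return {pcr_state(modules, path): path for path in product((0, 1), repeat=len(STAGES))}


def blobs_invalidated_by_update(modules: Dict[str, Tuple[bytes, bytes]],
                                stage: str, new_primary: bytes) -> List[Path]:
    """Paths whose Blob no longer opens after the primary image of `stage` is replaced (FIG. 10)."""
    updated = dict(modules)
    updated[stage] = (new_primary, modules[stage][1])
    still_valid = set(seal_all_paths(updated))
    return [path for state, path in seal_all_paths(modules).items() if state not in still_valid]


if __name__ == "__main__":
    blobs = seal_all_paths(MODULES)
    print(len(blobs), "Blobs needed")                       # 16: one per boot path
    stale = blobs_invalidated_by_update(MODULES, "BIOS", b"BIOS 10a")
    print(len(stale), "Blobs to re-seal after BIOS update")  # 8: every path that booted BIOS 10
```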